From 6e28fa47a2ce371c33306c84a8f48b935a85eb2d Mon Sep 17 00:00:00 2001 From: Cody Date: Thu, 14 May 2020 14:03:09 -0700 Subject: [PATCH 1/7] container class added to pane resolves issue with title border DIV not utilizing 100% pane size --- Oqtane.Client/UI/Pane.razor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Oqtane.Client/UI/Pane.razor b/Oqtane.Client/UI/Pane.razor index 9d0c7dd4..48f4d0ce 100644 --- a/Oqtane.Client/UI/Pane.razor +++ b/Oqtane.Client/UI/Pane.razor @@ -32,7 +32,7 @@ } else { - _paneadminborder = ""; + _paneadminborder = "container"; _panetitle = ""; } From 422f3608072bc775db381678d5830dbd5c505b4a Mon Sep 17 00:00:00 2001 From: Cody Date: Thu, 14 May 2020 14:58:09 -0700 Subject: [PATCH 2/7] disabled changed to readonly --- Oqtane.Client/Modules/Admin/SystemInfo/Index.razor | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Oqtane.Client/Modules/Admin/SystemInfo/Index.razor b/Oqtane.Client/Modules/Admin/SystemInfo/Index.razor index 8e19125f..ca7c7f2c 100644 --- a/Oqtane.Client/Modules/Admin/SystemInfo/Index.razor +++ b/Oqtane.Client/Modules/Admin/SystemInfo/Index.razor @@ -8,7 +8,7 @@ - + @@ -16,7 +16,7 @@ - + @@ -24,7 +24,7 @@ - + @@ -32,7 +32,7 @@ - + @@ -40,7 +40,7 @@ - + @@ -48,7 +48,7 @@ - + From 39641804f1c93814cd7a19aa3dd8538d81158dee Mon Sep 17 00:00:00 2001 From: Jim Spillane Date: Thu, 14 May 2020 22:02:57 -0400 Subject: [PATCH 3/7] Move Path and File validation to Shared Utilities Created extension methods: IsPathValid(Folder) IsFileValid(File) IsPathOrFileValid(string) Added client side validation check for Folders. --- Oqtane.Client/Modules/Admin/Files/Edit.razor | 98 ++++++++++--------- Oqtane.Server/Controllers/FolderController.cs | 12 +-- Oqtane.Shared/Shared/Utilities.cs | 19 ++++ 3 files changed, 73 insertions(+), 56 deletions(-) diff --git a/Oqtane.Client/Modules/Admin/Files/Edit.razor b/Oqtane.Client/Modules/Admin/Files/Edit.razor index 1d7ddc81..5d42485b 100644 
--- a/Oqtane.Client/Modules/Admin/Files/Edit.razor +++ b/Oqtane.Client/Modules/Admin/Files/Edit.razor @@ -25,7 +25,7 @@ - + 
@@ -112,57 +112,63 @@ private async Task SaveFolder() { + if (_name == string.Empty || _parentId == -1) + { + AddModuleMessage("Folders Must Have A Parent And A Name", MessageType.Warning); + return; + } + + if (!_name.IsPathOrFileValid()) + { + AddModuleMessage("Folder Name Not Valid.", MessageType.Warning); + return; + } + try { - if (_name != string.Empty && _parentId != -1) + Folder folder; + if (_folderId != -1) { - Folder folder; - if (_folderId != -1) - { - folder = await FolderService.GetFolderAsync(_folderId); - } - else - { - folder = new Folder(); - } - - folder.SiteId = PageState.Site.SiteId; - - if (_parentId == -1) - { - folder.ParentId = null; - } - else - { - folder.ParentId = _parentId; - } - - folder.Name = _name; - folder.IsSystem = _isSystem; - folder.Permissions = _permissionGrid.GetPermissions(); - - if (_folderId != -1) - { - folder = await FolderService.UpdateFolderAsync(folder); - } - else - { - folder = await FolderService.AddFolderAsync(folder); - } - if (folder != null) - { - await FolderService.UpdateFolderOrderAsync(folder.SiteId, folder.FolderId, folder.ParentId); - await logger.LogInformation("Folder Saved {Folder}", folder); - NavigationManager.NavigateTo(NavigateUrl()); - } - else - { - AddModuleMessage("An Error Was Encountered Saving The Folder", MessageType.Error); - } + folder = await FolderService.GetFolderAsync(_folderId); } else { - AddModuleMessage("Folders Must Have A Parent And A Name", MessageType.Warning); + folder = new Folder(); + } + + folder.SiteId = PageState.Site.SiteId; + + if (_parentId == -1) + { + folder.ParentId = null; + } + else + { + folder.ParentId = _parentId; + } + + folder.Name = _name; + folder.IsSystem = _isSystem; + folder.Permissions = _permissionGrid.GetPermissions(); + + if (_folderId != -1) + { + folder = await FolderService.UpdateFolderAsync(folder); + } + else + { + folder = await FolderService.AddFolderAsync(folder); + } + + if (folder != null) + { + await 
FolderService.UpdateFolderOrderAsync(folder.SiteId, folder.FolderId, folder.ParentId); + await logger.LogInformation("Folder Saved {Folder}", folder); + NavigationManager.NavigateTo(NavigateUrl()); + } + else + { + AddModuleMessage("An Error Was Encountered Saving The Folder", MessageType.Error); } } catch (Exception ex) diff --git a/Oqtane.Server/Controllers/FolderController.cs b/Oqtane.Server/Controllers/FolderController.cs index fb824641..ebaaa590 100644 --- a/Oqtane.Server/Controllers/FolderController.cs +++ b/Oqtane.Server/Controllers/FolderController.cs @@ -105,7 +105,7 @@ namespace Oqtane.Controllers } if (_userPermissions.IsAuthorized(User, PermissionNames.Edit, permissions)) { - if (FolderPathValid(folder)) + if (folder.IsPathValid()) { if (string.IsNullOrEmpty(folder.Path) && folder.ParentId != null) { @@ -140,7 +140,7 @@ namespace Oqtane.Controllers { if (ModelState.IsValid && _userPermissions.IsAuthorized(User, EntityNames.Folder, folder.FolderId, PermissionNames.Edit)) { - if (FolderPathValid(folder)) + if (folder.IsPathValid()) { if (string.IsNullOrEmpty(folder.Path) && folder.ParentId != null) { @@ -210,13 +210,5 @@ namespace Oqtane.Controllers HttpContext.Response.StatusCode = 401; } } - - private bool FolderPathValid(Folder folder) - { - // prevent folder path traversal and reserved devices - return (folder.Name.IndexOfAny(Constants.InvalidFileNameChars) == -1 && - !Constants.InvalidFileNameEndingChars.Any(x => folder.Name.EndsWith(x)) && - !Constants.ReservedDevices.Split(',').Contains(folder.Name.ToUpper().Split('.')[0])); - } } } diff --git a/Oqtane.Shared/Shared/Utilities.cs b/Oqtane.Shared/Shared/Utilities.cs index 11bef4dd..de81561b 100644 --- a/Oqtane.Shared/Shared/Utilities.cs +++ b/Oqtane.Shared/Shared/Utilities.cs @@ -2,8 +2,10 @@ using System; using System.Globalization; using System.IO; +using System.Linq; using System.Text; using System.Text.RegularExpressions; +using File = Oqtane.Models.File; namespace Oqtane.Shared { 
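Review bot: The new guard `if (_name == string.Empty || _parentId == -1)` only catches an exactly-empty name, so a null or whitespace-only `_name` slips through and the following `_name.IsPathOrFileValid()` call dereferences it; `if (string.IsNullOrWhiteSpace(_name) || _parentId == -1)` covers all three cases. The server-side `folder.IsPathValid()` check in FolderController remains the authoritative one, so this client check is a usability guard rather than a security boundary, which is worth a one-line comment above it, e.g. `// client-side pre-check only; FolderController re-validates the name`. SaveFolder's `catch` block continues past the end of the hunk.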
@@ -254,5 +256,22 @@ namespace Oqtane.Shared return Path.Combine(segments).TrimEnd(); } + + public static bool IsPathValid(this Folder folder) + { + return IsPathOrFileValid(folder.Name); + } + + public static bool IsFileValid(this File file) + { + return IsPathOrFileValid(file.Name); + } + + public static bool IsPathOrFileValid(this string name) + { + return (name.IndexOfAny(Constants.InvalidFileNameChars) == -1 && + !Constants.InvalidFileNameEndingChars.Any(name.EndsWith) && + !Constants.ReservedDevices.Split(',').Contains(name.ToUpper().Split('.')[0])); + } } } From 5e04cb18a456199c3050934be44d7d1c356ed48e Mon Sep 17 00:00:00 2001 From: Pavel Vesely Date: Fri, 15 May 2020 08:18:07 +0200 Subject: [PATCH 4/7] File Manager Tune-up --- Oqtane.Client/Modules/Admin/Files/Add.razor | 2 +- .../Modules/Admin/ModuleDefinitions/Add.razor | 2 +- Oqtane.Client/Modules/Admin/Site/Index.razor | 8 +- Oqtane.Client/Modules/Admin/Themes/Add.razor | 2 +- .../Modules/Admin/UserProfile/Index.razor | 2 +- Oqtane.Client/Modules/Admin/Users/Edit.razor | 2 +- .../Modules/Controls/FileManager.razor | 163 +++++++++--------- 7 files changed, 87 insertions(+), 94 deletions(-) diff --git a/Oqtane.Client/Modules/Admin/Files/Add.razor b/Oqtane.Client/Modules/Admin/Files/Add.razor index a01b9b1c..653f5cf3 100644 --- a/Oqtane.Client/Modules/Admin/Files/Add.razor +++ b/Oqtane.Client/Modules/Admin/Files/Add.razor @@ -12,7 +12,7 @@ - + diff --git a/Oqtane.Client/Modules/Admin/ModuleDefinitions/Add.razor b/Oqtane.Client/Modules/Admin/ModuleDefinitions/Add.razor index a63784bc..db9186bd 100644 --- a/Oqtane.Client/Modules/Admin/ModuleDefinitions/Add.razor +++ b/Oqtane.Client/Modules/Admin/ModuleDefinitions/Add.razor @@ -35,7 +35,7 @@ - + diff --git a/Oqtane.Client/Modules/Admin/Site/Index.razor b/Oqtane.Client/Modules/Admin/Site/Index.razor index e4bae61e..3f3425f6 100644 --- a/Oqtane.Client/Modules/Admin/Site/Index.razor +++ b/Oqtane.Client/Modules/Admin/Site/Index.razor @@ -39,7 +39,7 @@ - + 
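Review bot: `IsPathOrFileValid` compares against `Constants.ReservedDevices` using the culture-sensitive `name.ToUpper()`, so under a culture with special casing rules (Turkish `i`) a reserved name such as `nul` can fail to map to `NUL` and pass the check; use `name.ToUpperInvariant()` or compare with `StringComparer.OrdinalIgnoreCase`. The method dereferences `name` with no null guard and returns true for an empty string (`"".Split('.')[0]` is `""`, which is not a reserved device), so every caller still has to reject null/empty itself; adding `if (string.IsNullOrWhiteSpace(name)) return false;` as the first line would centralise that, and `IsPathValid`/`IsFileValid` inherit the same null behaviour through `folder.Name`/`file.Name`. Since this is now the shared gate for folder names, file names and download URLs, the three rules it enforces (invalid characters, invalid trailing characters, reserved device names) deserve an XML `<summary>` on each of the three methods naming them.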
@@ -47,7 +47,7 @@ - + @@ -185,7 +185,7 @@ - + @@ -193,7 +193,7 @@ - + diff --git a/Oqtane.Client/Modules/Admin/Themes/Add.razor b/Oqtane.Client/Modules/Admin/Themes/Add.razor index 5ad4f5c6..da47d8a9 100644 --- a/Oqtane.Client/Modules/Admin/Themes/Add.razor +++ b/Oqtane.Client/Modules/Admin/Themes/Add.razor @@ -35,7 +35,7 @@ - + diff --git a/Oqtane.Client/Modules/Admin/UserProfile/Index.razor b/Oqtane.Client/Modules/Admin/UserProfile/Index.razor index 6f3ab545..fec53f62 100644 --- a/Oqtane.Client/Modules/Admin/UserProfile/Index.razor +++ b/Oqtane.Client/Modules/Admin/UserProfile/Index.razor @@ -64,7 +64,7 @@ else - + diff --git a/Oqtane.Client/Modules/Admin/Users/Edit.razor b/Oqtane.Client/Modules/Admin/Users/Edit.razor index 3aa30e1b..95449f2d 100644 --- a/Oqtane.Client/Modules/Admin/Users/Edit.razor +++ b/Oqtane.Client/Modules/Admin/Users/Edit.razor @@ -63,7 +63,7 @@ else - + diff --git a/Oqtane.Client/Modules/Controls/FileManager.razor b/Oqtane.Client/Modules/Controls/FileManager.razor index 8dc70ffb..35f04706 100644 --- a/Oqtane.Client/Modules/Controls/FileManager.razor +++ b/Oqtane.Client/Modules/Controls/FileManager.razor @@ -1,5 +1,6 @@ @namespace Oqtane.Modules.Controls -@inherits ModuleBase +@inherits ModuleBase + @attribute [OqtaneIgnore] @inject IFolderService FolderService @inject IFileService FileService @@ -10,33 +11,36 @@
-
- + @if (string.IsNullOrEmpty(Folder)) { - + } - else + @foreach (Folder folder in _folders) { - + if (folder.FolderId == FolderId) + { + + } + else + { + + } } - } - -
- @if (_showfiles) + +
+ } + @if (ShowFiles) {
} - @if (_haseditpermission) + @if (ShowUpload && _haseditpermission) {
- @if (_uploadmultiple) + @if (UploadMultiple) { - + } else { - + } - - @if (_showfiles && GetFileId() != -1) - { - - } + + @if (_showfiles && GetFileId() != -1) + { + + }
- @((MarkupString)_message) } + @((MarkupString) _message)
@if (_image != string.Empty) {
- @((MarkupString)_image) + @((MarkupString) _image)
}
@@ -84,19 +88,19 @@ @code { private string _id; private List _folders; - private int _folderid = -1; private List _files = new List(); - private int _fileid = -1; private bool _showfiles = true; private string _fileinputid = string.Empty; private string _progressinfoid = string.Empty; private string _progressbarid = string.Empty; private string _filter = "*"; - private bool _uploadmultiple = false; private bool _haseditpermission = false; private string _message = string.Empty; private string _image = string.Empty; private string _guid; + private int _folderId = -1; + private bool _uploadMultiple; + private int _fileId; [Parameter] public string Id { get; set; } // optional - for setting the id of the FileManager component for accessibility 
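Review bot: The three fields added at the bottom of the field list, `_folderId`, `_uploadMultiple` and `_fileId`, are not read or written by any of the other hunks in this file, which all switch to the `FolderId`, `FileId` and `UploadMultiple` parameters instead; unless code outside the hunks uses them they are dead and should be dropped. If they were meant to hold the component's working state they would be the right place for it, in which case they need to be initialised from the parameters rather than left at their defaults (`_folderId = FolderId;` is not present anywhere in the visible hunks).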
@@ -105,19 +109,25 @@ public string Folder { get; set; } // optional - for setting a specific folder by default [Parameter] - public string FolderId { get; set; } // optional - for setting a specific folderid by default + public int FolderId { get; set; } = -1; // optional - for setting a specific folderid by default [Parameter] - public string ShowFiles { get; set; } // optional - for indicating whether a list of files should be displayed - default is true + public bool ShowFiles { get; set; } = true; // optional - for indicating whether a list of files should be displayed - default is true [Parameter] - public string FileId { get; set; } // optional - for setting a specific file by default + public bool ShowUpload { get; set; } = true; // optional - for indicating whether a Upload controls should be displayed - default is true + + [Parameter] + public bool ShowFolders { get; set; } = true; // optional - for indicating whether a list of folders should be displayed - default is true + + [Parameter] + public int FileId { get; set; } = -1; // optional - for setting a specific file by default [Parameter] public string Filter { get; set; } // optional - comma delimited list of file types that can be selected or uploaded ie. "jpg,gif" [Parameter] - public string UploadMultiple { get; set; } // optional - enable multiple file uploads - default false + public bool UploadMultiple { get; set; } = false; // optional - enable multiple file uploads - default false protected override async Task OnInitializedAsync() { 
@@ -129,56 +139,39 @@ if (!string.IsNullOrEmpty(Folder)) { _folders = new List {new Folder {FolderId = -1, Name = Folder}}; - _folderid = -1; + FolderId = -1; } else { _folders = await FolderService.GetFoldersAsync(ModuleState.SiteId); - if (!string.IsNullOrEmpty(FolderId)) - { - _folderid = int.Parse(FolderId); - } } - if (!string.IsNullOrEmpty(FileId)) + if (FileId != -1) { - _fileid = int.Parse(FileId); - if (_fileid != -1) + File file = await FileService.GetFileAsync(FileId); + if (file != null) { - File file = await FileService.GetFileAsync(int.Parse(FileId)); - if (file != null) - { - _folderid = file.FolderId; - } - else - { - _fileid = -1; // file does not exist - } + FolderId = file.FolderId; + } + else + { + FileId = -1; // file does not exist } - await SetImage(); - } - if (!string.IsNullOrEmpty(ShowFiles)) - { - _showfiles = bool.Parse(ShowFiles); } + await SetImage(); if (!string.IsNullOrEmpty(Filter)) { - _filter = "." + Filter.Replace(",",",."); + _filter = "." + Filter.Replace(",", ",."); } await GetFiles(); - // create unique id for component + // create unique id for component _guid = Guid.NewGuid().ToString("N"); _fileinputid = _guid + "FileInput"; _progressinfoid = _guid + "ProgressInfo"; _progressbarid = _guid + "ProgressBar"; - - if (!string.IsNullOrEmpty(UploadMultiple)) - { - _uploadmultiple = bool.Parse(UploadMultiple); - } } private async Task GetFiles() @@ -191,11 +184,11 @@ } else { - Folder folder = _folders.FirstOrDefault(item => item.FolderId == _folderid); + Folder folder = _folders.FirstOrDefault(item => item.FolderId == FolderId); if (folder != null) { - _haseditpermission = UserSecurity.IsAuthorized(PageState.User,PermissionNames.Edit, folder.Permissions); - _files = await FileService.GetFilesAsync(_folderid); + _haseditpermission = UserSecurity.IsAuthorized(PageState.User, PermissionNames.Edit, folder.Permissions); + _files = await FileService.GetFilesAsync(FolderId); } else { 
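Review bot: `OnInitializedAsync` now assigns to the component's own `[Parameter]` properties (`FolderId = -1;`, `FolderId = file.FolderId;`, `FileId = -1;`), and the later `FolderChanged`, `FileChanged`, upload and delete hunks do the same; Blazor re-applies the parent's parameter values on every `SetParametersAsync`, so these writes can be overwritten the next time the parent renders and the selected folder/file silently reverts. Keep the parameters read-only and copy them into private state in `OnParametersSet` (`_folderId = FolderId; _fileId = FileId;`), then use the private fields in the event handlers and in `GetFileId()`. The second hunk here (`@@ -191,11 +184,11 @@`) in `GetFiles` reads `FolderId` for the same reason and should read the private field too; `GetFiles` continues past the end of the hunk.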
@@ -222,9 +215,9 @@ _message = string.Empty; try { - _folderid = int.Parse((string)e.Value); + FolderId = int.Parse((string) e.Value); await GetFiles(); - _fileid = -1; + FileId = -1; _image = string.Empty; StateHasChanged(); } @@ -238,7 +231,7 @@ private async Task FileChanged(ChangeEventArgs e) { _message = string.Empty; - _fileid = int.Parse((string)e.Value); + FileId = int.Parse((string) e.Value); await SetImage(); StateHasChanged(); @@ -247,21 +240,21 @@ private async Task SetImage() { _image = string.Empty; - if (_fileid != -1) + if (FileId != -1) { - File file = await FileService.GetFileAsync(_fileid); + File file = await FileService.GetFileAsync(FileId); if (file != null && file.ImageHeight != 0 && file.ImageWidth != 0) { var maxwidth = 200; var maxheight = 200; - var ratioX = (double)maxwidth / (double)file.ImageWidth; - var ratioY = (double)maxheight / (double)file.ImageHeight; + var ratioX = (double) maxwidth / (double) file.ImageWidth; + var ratioY = (double) maxheight / (double) file.ImageHeight; var ratio = ratioX < ratioY ? ratioX : ratioY; - _image = "\"""; + _image = "\"""; } } } @@ -281,7 +274,7 @@ } else { - result = await FileService.UploadFilesAsync(_folderid, upload, _guid); + result = await FileService.UploadFilesAsync(FolderId, upload, _guid); } if (result == string.Empty) @@ -295,7 +288,7 @@ var file = _files.Where(item => item.Name == upload[0]).FirstOrDefault(); if (file != null) { - _fileid = file.FileId; + FileId = file.FileId; await SetImage(); } } @@ -325,21 +318,21 @@ try { - await FileService.DeleteFileAsync(_fileid); - await logger.LogInformation("File Deleted {File}", _fileid); + await FileService.DeleteFileAsync(FileId); + await logger.LogInformation("File Deleted {File}", FileId); _message = "
File Deleted
"; await GetFiles(); - _fileid = -1; + FileId = -1; await SetImage(); StateHasChanged(); } catch (Exception ex) { - await logger.LogError(ex, "Error Deleting File {File} {Error}", _fileid, ex.Message); + await logger.LogError(ex, "Error Deleting File {File} {Error}", FileId, ex.Message); _message = "
Error Deleting File
"; } } - public int GetFileId() => _fileid; + public int GetFileId() => FileId; } From 9850e249fc913a65d2124feaa88918681cb44875 Mon Sep 17 00:00:00 2001 From: Pavel Vesely Date: Fri, 15 May 2020 08:20:00 +0200 Subject: [PATCH 5/7] File Controller bug --- Oqtane.Server/Controllers/FileController.cs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Oqtane.Server/Controllers/FileController.cs b/Oqtane.Server/Controllers/FileController.cs index 0c30bbdf..0bfe1de2 100644 --- a/Oqtane.Server/Controllers/FileController.cs +++ b/Oqtane.Server/Controllers/FileController.cs @@ -413,8 +413,11 @@ namespace Oqtane.Controllers { _logger.Log(LogLevel.Error, this, LogFunction.Read, "File Does Not Exist {FileId} {FilePath}", id, filepath); HttpContext.Response.StatusCode = 404; - byte[] filebytes = System.IO.File.ReadAllBytes(errorpath); - return File(filebytes, "application/octet-stream", file.Name); + if (System.IO.File.Exists(errorpath)) + { + byte[] filebytes = System.IO.File.ReadAllBytes(errorpath); + return File(filebytes, "application/octet-stream", file.Name); + } } } else @@ -432,6 +435,7 @@ namespace Oqtane.Controllers byte[] filebytes = System.IO.File.ReadAllBytes(errorpath); return File(filebytes, "application/octet-stream", "error.png"); } + return null; } private string GetFolderPath(Folder folder) From 13adebb36c81930e3c965181ec119c4878e00497 Mon Sep 17 00:00:00 2001 From: Jim Spillane Date: Fri, 15 May 2020 23:12:24 -0400 Subject: [PATCH 6/7] Add File Name validation Apply file name validation rules to the File Controller and client. --- Oqtane.Client/Modules/Admin/Files/Add.razor | 35 +++-- Oqtane.Server/Controllers/FileController.cs | 147 +++++++++++--------- 2 files changed, 110 insertions(+), 72 deletions(-) diff --git a/Oqtane.Client/Modules/Admin/Files/Add.razor b/Oqtane.Client/Modules/Admin/Files/Add.razor index 653f5cf3..9f19370d 100644 --- a/Oqtane.Client/Modules/Admin/Files/Add.razor +++ b/Oqtane.Client/Modules/Admin/Files/Add.razor 
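Review bot: The `return null;` added at the end of the method (second hunk, `@@ -432,6 +435,7 @@`) is now reachable from the first hunk's new fall-through, where `errorpath` does not exist after the 404 has been set. If the action's return type is `IActionResult` (the signature is outside both hunks), MVC rejects a null result with an `InvalidOperationException`, turning that 404 into a 500; returning `NotFound()` there keeps the status and makes the intent explicit. The unguarded `System.IO.File.ReadAllBytes(errorpath)` in the second hunk's context lines would benefit from the same `System.IO.File.Exists(errorpath)` check the first hunk adds.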
@@ -1,4 +1,5 @@ @namespace Oqtane.Modules.Admin.Files +@using System.IO @inherits ModuleBase @inject NavigationManager NavigationManager @inject IFileService FileService @@ -70,18 +71,32 @@ private async Task Download() { + if (url == string.Empty || _folderId == -1) + { + AddModuleMessage("You Must Enter A Url And Select A Folder", MessageType.Warning); + return; + } + + var filename = url.Substring(url.LastIndexOf("/", StringComparison.Ordinal) + 1); + + if (!Constants.UploadableFiles.Split(',') + .Contains(Path.GetExtension(filename).ToLower().Replace(".", ""))) + { + AddModuleMessage("File Could Not Be Downloaded From Url Due To Its File Extension", MessageType.Warning); + return ; + } + + if (!filename.IsPathOrFileValid()) + { + AddModuleMessage("You Must Enter A Url With A Valid File Name", MessageType.Warning); + return; + } + try { - if (url != string.Empty && _folderId != -1) - { - await FileService.UploadFileAsync(url, _folderId); - await logger.LogInformation("File Downloaded Successfully From Url {Url}", url); - AddModuleMessage("File Downloaded Successfully From Url", MessageType.Success); - } - else - { - AddModuleMessage("You Must Enter A Url And Select A Folder", MessageType.Warning); - } + await FileService.UploadFileAsync(url, _folderId); + await logger.LogInformation("File Downloaded Successfully From Url {Url}", url); + AddModuleMessage("File Downloaded Successfully From Url", MessageType.Success); } catch (Exception ex) { diff --git a/Oqtane.Server/Controllers/FileController.cs b/Oqtane.Server/Controllers/FileController.cs index 0bfe1de2..0c4bfad6 100644 --- a/Oqtane.Server/Controllers/FileController.cs +++ b/Oqtane.Server/Controllers/FileController.cs 
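Review bot: The file-name derivation `url.Substring(url.LastIndexOf("/", StringComparison.Ordinal) + 1)` and the extension check are now duplicated verbatim between this component and `FileController.Download`, with `Path.GetExtension(filename).ToLower()` culture-sensitive in both; a shared helper next to `IsPathOrFileValid` in Utilities, using `ToLowerInvariant()`, would keep client and server in agreement. Style points in the same hunk: `return ;` has a stray space, and `url == string.Empty` should be `string.IsNullOrWhiteSpace(url)` so a null or blank URL gets the warning rather than reaching `Substring`. The `Download` method's `catch` continues beyond the hunk.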
@@ -189,41 +189,54 @@ namespace Oqtane.Controllers
 {
 Models.File file = null;
 Folder folder = _folders.GetFolder(int.Parse(folderid));
- if (folder != null && _userPermissions.IsAuthorized(User, PermissionNames.Edit, folder.Permissions))
- {
- string folderPath = GetFolderPath(folder);
- CreateDirectory(folderPath);
- string filename = url.Substring(url.LastIndexOf("/", StringComparison.Ordinal) + 1);
- // check for allowable file extensions
- if (Constants.UploadableFiles.Split(',').Contains(Path.GetExtension(filename).ToLower().Replace(".", "")))
- {
- try
- {
- var client = new WebClient();
- string targetPath = Path.Combine(folderPath, filename);
- // remove file if it already exists
- if (System.IO.File.Exists(targetPath))
- {
- System.IO.File.Delete(targetPath);
- }
- client.DownloadFile(url, targetPath);
- _files.AddFile(CreateFile(filename, folder.FolderId, targetPath));
- }
- catch
- {
- _logger.Log(LogLevel.Error, this, LogFunction.Create, "File Could Not Be Downloaded From Url {Url}", url);
- }
- }
- else
- {
- _logger.Log(LogLevel.Error, this, LogFunction.Create, "File Could Not Be Downloaded From Url Due To Its File Extension {Url}", url);
- }
- }
- else
+ if (folder == null || !_userPermissions.IsAuthorized(User, PermissionNames.Edit, folder.Permissions))
 {
- _logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Download File {Url} {FolderId}", url, folderid);
+ _logger.Log(LogLevel.Error, this, LogFunction.Create,
+ "User Not Authorized To Download File {Url} {FolderId}", url, folderid);
 HttpContext.Response.StatusCode = 401;
+ return file;
+ }
+
+ string folderPath = GetFolderPath(folder);
+ CreateDirectory(folderPath);
+
+ string filename = url.Substring(url.LastIndexOf("/", StringComparison.Ordinal) + 1);
+ // check for allowable file extensions
+ if (!Constants.UploadableFiles.Split(',')
+ .Contains(Path.GetExtension(filename).ToLower().Replace(".", "")))
+ {
+ _logger.Log(LogLevel.Error, this, LogFunction.Create,
+ "File Could Not Be Downloaded From Url Due To Its File Extension {Url}", url);
+ HttpContext.Response.StatusCode = (int)HttpStatusCode.Conflict;
+ return file;
+ }
+
+ if (!filename.IsPathOrFileValid())
+ {
+ _logger.Log(LogLevel.Error, this, LogFunction.Create,
+ $"File Could Not Be Downloaded From Url Due To Its File Name Not Allowed {url}");
+ HttpContext.Response.StatusCode = (int)HttpStatusCode.Conflict;
+ return file;
+ }
+
+ try
+ {
+ var client = new WebClient();
+ string targetPath = Path.Combine(folderPath, filename);
+ // remove file if it already exists
+ if (System.IO.File.Exists(targetPath))
+ {
+ System.IO.File.Delete(targetPath);
+ }
+
+ client.DownloadFile(url, targetPath);
+ file = _files.AddFile(CreateFile(filename, folder.FolderId, targetPath));
+ }
+ catch
+ {
+ _logger.Log(LogLevel.Error, this, LogFunction.Create,
+ "File Could Not Be Downloaded From Url {Url}", url);
 }
 return file;
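Review bot: The rewritten `Download` validates the file name it derives from `url` but never validates `url` itself before handing it to `client.DownloadFile(url, targetPath)`, so the server will fetch whatever address an editor supplies, including non-HTTP schemes and internal hosts; parse it first with `Uri.TryCreate(url, UriKind.Absolute, out var uri)` and reject anything whose `Scheme` is not `http`/`https` (an allow-list of hosts is the stronger control for a server-side fetch). `new WebClient()` is created inside the `try` and never disposed; wrap it in a `using` block. The new file-name failure logs via an interpolated string, `$"... {url}"`, unlike the neighbouring structured templates (`"... {Url}", url`), which defeats log-field indexing and should use the template form. `HttpStatusCode.Conflict` (409) describes a state clash, not a malformed request; `BadRequest` (400) is the more accurate reply for a rejected extension or name.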
@@ -233,46 +246,56 @@ namespace Oqtane.Controllers [HttpPost("upload")] public async Task UploadFile(string folder, IFormFile file) { - if (file.Length > 0) + if (file.Length <= 0) { - string folderPath = ""; + return; + } - if (int.TryParse(folder, out int folderId)) + if (!file.FileName.IsPathOrFileValid()) + { + HttpContext.Response.StatusCode = (int)HttpStatusCode.Conflict; + return; + } + + string folderPath = ""; + + if (int.TryParse(folder, out int folderId)) + { + Folder virtualFolder = _folders.GetFolder(folderId); + if (virtualFolder != null && + _userPermissions.IsAuthorized(User, PermissionNames.Edit, virtualFolder.Permissions)) { - Folder virtualFolder = _folders.GetFolder(folderId); - if (virtualFolder != null && _userPermissions.IsAuthorized(User, PermissionNames.Edit, virtualFolder.Permissions)) - { - folderPath = GetFolderPath(virtualFolder); - } + folderPath = GetFolderPath(virtualFolder); } - else + } + else + { + if (User.IsInRole(Constants.HostRole)) { - if (User.IsInRole(Constants.HostRole)) - { - folderPath = GetFolderPath(folder); - } + folderPath = GetFolderPath(folder); + } + } + + if (folderPath != "") + { + CreateDirectory(folderPath); + using (var stream = new FileStream(Path.Combine(folderPath, file.FileName), FileMode.Create)) + { + await file.CopyToAsync(stream); } - if (folderPath != "") + string upload = await MergeFile(folderPath, file.FileName); + if (upload != "" && folderId != -1) { - CreateDirectory(folderPath); - using (var stream = new FileStream(Path.Combine(folderPath, file.FileName), FileMode.Create)) - { - await file.CopyToAsync(stream); - } - - string upload = await MergeFile(folderPath, file.FileName); - if (upload != "" && folderId != -1) - { - _files.AddFile(CreateFile(upload, folderId, Path.Combine(folderPath, upload))); - } - } - else - { - _logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Upload File {Folder} {File}", folder, file); - HttpContext.Response.StatusCode = 401; + 
_files.AddFile(CreateFile(upload, folderId, Path.Combine(folderPath, upload)));
 }
 }
+ else
+ {
+ _logger.Log(LogLevel.Error, this, LogFunction.Create,
+ "User Not Authorized To Upload File {Folder} {File}", folder, file);
+ HttpContext.Response.StatusCode = 401;
+ }
 }
 private async Task MergeFile(string folder, string filename)
From 96f5668a3bf6f9278e4f0c174db010a990f06804 Mon Sep 17 00:00:00 2001 From: Pavel Vesely Date: Sat, 16 May 2020 08:40:30 +0200 Subject: [PATCH 7/7] Setting service bug. --- Oqtane.Client/Services/SettingService.cs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Oqtane.Client/Services/SettingService.cs b/Oqtane.Client/Services/SettingService.cs
index c5cf45c4..451e97b8 100644
--- a/Oqtane.Client/Services/SettingService.cs
+++ b/Oqtane.Client/Services/SettingService.cs
@@ -1,4 +1,5 @@
-using Oqtane.Models;
+using System;
+using Oqtane.Models;
 using System.Threading.Tasks;
 using System.Net.Http;
 using System.Linq;
@@ -103,10 +104,10 @@ namespace Oqtane.Services
 public async Task UpdateSettingsAsync(Dictionary settings, string entityName, int entityId)
 {
 var settingsList = await GetJsonAsync>($"{Apiurl}?entityname={entityName}&entityid={entityId}");
-
+
 foreach (KeyValuePair kvp in settings)
 {
- Setting setting = settingsList.FirstOrDefault(item => item.SettingName == kvp.Key);
+ Setting setting = settingsList.FirstOrDefault(item => item.SettingName.Equals(kvp.Key,StringComparison.OrdinalIgnoreCase));
 if (setting == null)
 {
 setting = new Setting();
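Review bot: The new `file.FileName.IsPathOrFileValid()` gate runs before the folder lookup and the `_userPermissions.IsAuthorized` check, so a caller without edit rights on the folder receives a 409 verdict on their file name instead of the 401 the authorization branch produces; move the check below the `folderPath != ""` test so authorization is decided first. `file.FileName` is supplied by the client and is passed straight to `Path.Combine(folderPath, file.FileName)`; normalising it with `Path.GetFileName(file.FileName)` before both the validity check and the combine is a cheap defence-in-depth step that does not depend on the contents of `Constants.InvalidFileNameChars`. A missing or unbound `file` makes the first statement `file.Length` throw; `if (file is null || file.Length <= 0) return;` covers it.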
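Review bot: `item.SettingName.Equals(kvp.Key, StringComparison.OrdinalIgnoreCase)` throws a `NullReferenceException` for any setting whose `SettingName` is null, where the previous `==` comparison simply did not match; the static form `string.Equals(item.SettingName, kvp.Key, StringComparison.OrdinalIgnoreCase)` is null-safe and keeps the case-insensitive match. Switching to case-insensitive matching also means that if `settingsList` already holds two names differing only by case, `FirstOrDefault` now updates whichever comes first, which is presumably intended but worth a short comment on that line. Minor style: a space is missing after the comma before `StringComparison`. `UpdateSettingsAsync` continues past the end of the hunk.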